Australian Capital Territory Privacy

The Information Privacy Act 2014 (ACT) regulates how personal information is handled by ACT public sector agencies. This Act includes a set of Territory Privacy Principles, which cover the collection, use, storage and disclosure of personal information, and an individual’s access to and correction of that information.

The Information Privacy Act commenced on 1 September 2014 and replaces the Privacy Act 1998 (Cth) as in force on 1 July 1994 (and as modified by the Australian Capital Territory Government Service (Consequential Provisions) Act 1994 (Cth)), which previously applied to ACT public sector agencies. More information on the Information Privacy Principles that applied before 1 September 2014 can be found at Information Privacy Principles.

What is the role of the OAIC?

Under an arrangement between the ACT Government and the Australian Government, the Australian Information Commissioner is exercising some of the functions of the ACT Information Privacy Commissioner. These responsibilities include handling privacy complaints against, and receiving data breach notifications from, ACT public sector agencies, and conducting assessments of ACT public sector agencies’ compliance with the Information Privacy Act.

Rights and responsibilities under the Information Privacy Act

Who has rights under the Information Privacy Act?

As an individual, the Information Privacy Act 2014 (ACT) gives you greater control over the way that your personal information is handled. Personal information is information or an opinion about an identified individual, or an individual who is reasonably identifiable.

The Information Privacy Act allows you to:

know why your personal information is being collected, how it will be used and who it will be disclosed to

have the option of not identifying yourself, or of using a pseudonym, in certain circumstances

ask for access to your personal information

ask for your personal information that is incorrect to be corrected

make a complaint about an agency or contractor covered by the Information Privacy Act, if you consider that they have mishandled your personal information.

Who has responsibilities under the Information Privacy Act?

The Information Privacy Act applies to ACT public sector agencies. This includes:

Ministers (in their administrative capacities)

administrative units

statutory office-holders and their staff

territory authorities

territory instrumentalities

territory-owned corporations

ACT courts (in their administrative capacities)

any entity prescribed by regulation.

The Act also applies to some businesses who are contracted service providers (including subcontractors) for an ACT Government contract and are performing obligations under that contract.

What is not covered by the Information Privacy Act?

The Information Privacy Act does not cover:

individuals acting in their own capacity, including your neighbours

private organisations (except to the extent that they are performing obligations under an ACT Government contract)

Territory Privacy Principles

The Information Privacy Act 2014 (ACT) includes a set of Territory Privacy Principles (TPPs). The TPPs set out standards, rights and obligations for the collection, use, disclosure, storage, accessing and correction of personal information (including sensitive information).

The TPPs are principles-based rather than prescriptive. Each ACT public sector agency needs to apply the principles to its own situation. The principles cover:

the open and transparent management of personal information including having a privacy policy (TPP 1)

an individual having the option of transacting anonymously or using a pseudonym where practicable (TPP 2)

the collection of solicited personal information and receipt of unsolicited personal information including giving notice about collection (TPPs 3, 4 and 5)

how personal information can be used and disclosed (including disclosure overseas) (TPPs 6 and 8)

maintaining the quality of personal information (TPP 10)

keeping personal information secure (TPP 11)

rights for individuals to access and correct their personal information (TPPs 12 and 13)

TPPs and the Australian Privacy Principles

The TPPs are similar to the Australian Privacy Principles (APPs) in Schedule 1 of the Privacy Act 1988 (Cth) that apply to most Australian Government (and Norfolk Island Government) agencies and some private sector organisations.

Some of the APPs are not relevant to the handling of personal information by ACT public sector agencies and have not been included in the TPPs. For example, APP 7, which deals with the use and disclosure of personal information for the purpose of direct marketing, and APP 9, which regulates the adoption, use and disclosure of government related identifiers, are not included.

The TPPs also contain some minor textual differences to the APPs, but these do not change the meaning of the principle. For example, the phrase ‘the entity must take such steps (if any) as are reasonable in the circumstances’ is used in the APPs while a similar phrase, ‘the agency must take reasonable steps’, is used in the TPPs.[1] While expressed differently, both provisions could be satisfied by taking no steps if that is reasonable in the particular circumstances.

How to make a complaint

Individuals can make a complaint to the Office of the Australian Information Commissioner (OAIC) about the handling of their own personal information by ACT public sector agencies. Where an individual’s complaint is upheld, the OAIC is required to notify the individual that they can apply to a court for a remedy.

Application of the Notifiable Data Breaches scheme to ACT public sector agencies

The Notifiable Data Breaches (NDB) scheme commenced on 22 February 2018, introducing a requirement to notify individuals likely to be at risk of serious harm from a data breach. The OAIC must also be notified.

The NDB scheme applies to entities with existing information security obligations under the Privacy Act 1988 (Cth). Relevantly, the scheme applies to file number recipients that hold tax file number (TFN) information.

ACT public sector agencies hold TFN information for a number of reasons, but most commonly, for their employment and payroll functions.

If an ACT public sector agency experiences an eligible data breach involving TFN information, it must notify affected individuals and the OAIC. However, ACT public sector agencies are not required to notify data breaches that affect other types of personal information they hold.

ACT privacy resources

The ACT Justice and Community Safety Directorate has established a Privacy Clearinghouse. The Privacy Clearinghouse provides a first point of contact for ACT public sector agencies and staff to access privacy advice, resources and training. To contact the Privacy Clearinghouse, email privacy.clearinghouse@act.gov.au.

If an ACT public sector agency has queries about the operation of the Information Privacy Act, those queries should be directed to the Privacy Clearinghouse first, rather than the OAIC. The Clearinghouse will forward questions to the OAIC where appropriate.

The OAIC has also developed a range of privacy resources for the general public and ACT public sector agencies in relation to the Information Privacy Act.

In addition, the OAIC has developed a range of privacy resources to provide information and advice to the general public, private sector organisations and Australian Government agencies in relation to the Australian Privacy Principles (APPs). The obligations for Australian Government agencies under the APPs are substantially similar to those of ACT public sector agencies under the TPPs and the materials may be usefully referred to.